3.2.4.1 Establish SSTP Tunnel Event

When the client establishes an SSTP tunnel to the remote SSTP server, the management layer on the client initiates the SSTP tunnel request to the SSTP layer. The management layer MAY direct the SSTP layer to bypass higher-layer authentication by initializing the ClientBypassHLAuth variable as TRUE and the ClientHTTPCookie variable with a name-value pair. In this scenario, the ClientHTTPCookie is trusted by the management layer on the SSTP server using an implementation-specific mechanism. See the Accept New Connection event (section 3.3.7.3) for more details on validating the name-value pair.

The SSTP layer MUST first establish a bidirectional HTTPS session (for example, see section 4.1). The bidirectional HTTPS session MUST be established to the Uniform Resource Identifier (URI) /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ by using the SSTP_DUPLEX_POST method. The Content-Length header field (section 14.13 of [RFC2616]) MUST be specified with the content length of ULONGLONG_MAX (18446744073709551615). The client SHOULD validate that the common name or the subject name in the server certificate (received as part of the SSL/TLS handshake of the HTTPS session) is the same as the hostname to which the connection is being established. The client MUST also validate that the server certificate contains either the "id-kp-serverAuth" or the "anyExtendedKeyUsage" extended key usage (EKU). See [RFC5280] section 4.2.1.12 for details on "id-kp-serverAuth" and "anyExtendedKeyUsage".

 Method: SSTP_DUPLEX_POST
 Protocol Version: HTTP/1.1 
 SSTPCORRELATIONID: <GUID>

The client MAY also pass an optional query variable (as specified in section 3.2.2 of [RFC2616]) as part of the URI. The query variable, if set, MUST be named tenantid and SHOULD contain a string value that would be used by a HTTPS termination proxy in an implementation-specific way to indicate the tenant and its target SSTP server. A server that does not understand the tenantid query variable SHOULD ignore it.<7>

If ClientBypassHLAuth is set to TRUE, the client adds an HTTP Cookie header field (section 3.3.4 of [RFC2965]) carrying the ClientHTTPCookie name-value pair as the HTTP cookie.

The SSTP client SHOULD also send SSTPCORRELATIONID as an entity header field with a newly generated GUID string (for each new SSTP client connection attempt) as its value. The SSTP server SHOULD use this GUID value to log troubleshooting information specific to the particular SSTP connection. See [MS-DTYP] section 2.3.4.3 for the format of a GUID string.

If the HTTPS session failed to establish, the client MUST inform the higher layer about failure, and the SSTP state machine MUST NOT be initiated.

If the HTTPS session is established successfully, the SSTP state machine MUST be initiated. The client then reads the server certificate hash from the HTTPS layer (see section 3.2.7.2) and stores it in ClientCertificateHash. The client, which MUST be configured for PPP over SSTP, MUST send a Call Connect Request message with the Encapsulated Protocol ID that corresponds to PPP. For more information about PPP, see [RFC1661]. The client then updates CurrentState to Client_Connect_Request_Sent.
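The following is an added illustration of the tunnel request described in this section; it is not code from the MS-SSTP specification or from any SSTP implementation. It builds the SSTP_DUPLEX_POST request header block on the client side (fixed URI, Content-Length of ULONGLONG_MAX, SSTPCORRELATIONID, the optional tenantid query variable, and the Cookie header that is sent only when ClientBypassHLAuth is TRUE), applies the two server certificate checks the client performs after the TLS handshake, and parses the request back the way a server would. The function names (build_duplex_post, check_server_certificate, parse_duplex_post) are this example's own; the certificate is passed in as already-extracted subject names and EKU OIDs so the example runs offline without a TLS library, and a Host header is included because HTTP/1.1 requires one even though this section does not list it. The curly-braced GUID form is an assumption about the [MS-DTYP] string format.

```python
"""SSTP tunnel request (MS-SSTP 3.2.4.1): client build, certificate checks, server parse.

Added example, not code from the MS-SSTP specification. All function names here are
the example's own. Certificate data is supplied pre-extracted (names and EKU OIDs)
rather than parsed from DER, so no TLS library is needed.
"""
import uuid
from urllib.parse import urlencode, urlsplit, parse_qs

SSTP_URI = "/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/"
ULONGLONG_MAX = 18446744073709551615        # 2**64 - 1, the required Content-Length
OID_ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth, RFC 5280 4.2.1.12
OID_ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"   # anyExtendedKeyUsage, RFC 5280 4.2.1.12


def check_server_certificate(expected_host, subject_names, eku_oids):
    """Apply the two checks of 3.2.4.1 to a server certificate.

    subject_names: names taken from the certificate (subject CN and SAN dNSNames).
    eku_oids: OIDs in the extendedKeyUsage extension, [] if the extension is absent
              (an absent extension fails the MUST-level EKU check).
    Returns (accepted, reason).
    """
    names = {n.lower().rstrip(".") for n in subject_names}
    if expected_host.lower().rstrip(".") not in names:
        return False, "server certificate name does not match the target hostname"
    if not ({OID_ID_KP_SERVER_AUTH, OID_ANY_EXTENDED_KEY_USAGE} & set(eku_oids)):
        return False, "certificate lacks id-kp-serverAuth / anyExtendedKeyUsage EKU"
    return True, "ok"


def build_duplex_post(host, correlation_id=None, tenant_id=None, bypass_cookie=None):
    """Return the request header block (bytes) the client sends on the HTTPS session.

    bypass_cookie is the (name, value) pair held in ClientHTTPCookie; passing it models
    ClientBypassHLAuth == TRUE. A new GUID is generated per connection attempt when
    correlation_id is not supplied (braced form is an assumption about MS-DTYP 2.3.4.3).
    """
    if correlation_id is None:
        correlation_id = "{%s}" % str(uuid.uuid4()).upper()
    target = SSTP_URI
    if tenant_id is not None:                       # optional query variable for the proxy
        target += "?" + urlencode({"tenantid": tenant_id})
    lines = [
        f"SSTP_DUPLEX_POST {target} HTTP/1.1",
        f"Host: {host}",                            # required by HTTP/1.1, not listed in 3.2.4.1
        f"Content-Length: {ULONGLONG_MAX}",
        f"SSTPCORRELATIONID: {correlation_id}",
    ]
    if bypass_cookie is not None:
        name, value = bypass_cookie
        lines.append(f"Cookie: {name}={value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_duplex_post(raw):
    """Server-side view: validate the request line and headers of a tunnel request.

    Raises ValueError on a request that violates 3.2.4.1; otherwise returns the
    correlation id, the tenantid (None if absent) and the bypass cookie (None if absent).
    Unknown query variables are ignored, as the section requires.
    """
    head, _, _ = raw.decode("ascii").partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ")
    if method != "SSTP_DUPLEX_POST" or version != "HTTP/1.1":
        raise ValueError("not an SSTP_DUPLEX_POST HTTP/1.1 request")
    parts = urlsplit(target)
    if parts.path != SSTP_URI:
        raise ValueError("unexpected request URI %r" % parts.path)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if int(headers.get("content-length", "0")) != ULONGLONG_MAX:
        raise ValueError("Content-Length must be ULONGLONG_MAX")
    cookie = None
    if "cookie" in headers:
        name, _, value = headers["cookie"].partition("=")
        cookie = (name, value)
    return {
        "correlation_id": headers.get("sstpcorrelationid"),
        "tenantid": parse_qs(parts.query).get("tenantid", [None])[0],
        "cookie": cookie,
    }


if __name__ == "__main__":
    req = build_duplex_post("vpn.example.net", tenant_id="contoso",
                            bypass_cookie=("SSTP_AUTH", "constructed-value"))
    print(req.decode())
    print(parse_duplex_post(req))
    print(check_server_certificate("vpn.example.net", ["vpn.example.net"],
                                   [OID_ID_KP_SERVER_AUTH]))
```

The certificate check is deliberately strict about the EKU: a certificate with no extendedKeyUsage extension at all is rejected, because the text makes the EKU check a MUST while the hostname check is only a SHOULD. In a real client both checks run on the certificate obtained from the TLS layer before the SSTP state machine is started, and the hash of that same certificate is what is later stored in ClientCertificateHash.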